Cut over to MISE v2 as sole ext_authz provider

.yamlfmt.yaml

@@ -3,7 +3,6 @@ match_type: doublestar
 exclude:
 - '**/zz_fixture_*.yaml'
 - 'frontend/deploy/templates/frontend.deployment.yaml'
-- 'frontend/deploy/templates/frontend-v2.deployment.yaml'
 - 'image-registry-policy/values.yaml'
 - 'image-registry-policy/deploy/templates/validatingadmissionpolicybinding.yaml'
 formatter:

.yamllint.yml

@@ -7,7 +7,6 @@ ignore:
 - 'admin/deploy/templates/ext-authz.authorizationpolicy.yaml'
 - 'admin/deploy/templates/admin.deployment.yaml'
 - 'frontend/deploy/templates/ext-authz.authorizationpolicy.yaml'
-- 'frontend/deploy/templates/ext-authz-misev2.authorizationpolicy.yaml'
 - 'frontend/deploy/templates/allow-ingress.authorizationpolicy.yaml'
 - 'frontend/deploy/templates/frontend.deployment.yaml'
 - 'istio/deploy/templates/istio-shared-configmap.yml'

dev-infrastructure/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_istio.yaml

@@ -14,13 +14,7 @@ data:
       envoyExtAuthzHttp:
         service: "mise/mise.mise.svc.cluster.local"
         port: "8080"
-        includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter", "x-ms-mise-version"]
-        pathPrefix: "/v1/EnvoyValidateRequest"
-    - name: "ext-authz-misev2"
-      envoyExtAuthzHttp:
-        service: "mise/misev2.mise.svc.cluster.local"
-        port: "8080"
-        includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter", "x-ms-mise-version"]
+        includeRequestHeadersInCheck: ["x-ext-authz", "mise-inbound-policies-to-filter"]
         pathPrefix: "/v1/EnvoyValidateRequest"
 ---
 # Source: istio/templates/ops-ingress.gateway.yaml
@@ -103,7 +97,6 @@ metadata:
 spec:
   hosts:
   - "mise.mise.svc.cluster.local"
-  - "misev2.mise.svc.cluster.local"
   endpoints:
   - address: "127.0.0.1"
   ports:

docs/mise.md

@@ -32,35 +32,3 @@ Microsoft Identity Service Essentials (MISE) is an internal Microsoft service pr
 - Istio enforces the decision (forward or reject).
 Note: This retrofit ensures that Geneva Action traffic is consistently validated through the same MISE-based framework, providing a unified security model for both ARM and Geneva-originated requests.
 
-# MISE v2 Deployment
-
-MISE v2 is deployed alongside v1 as a separate workload in the `mise` namespace. It uses a JSON-based configuration (via ConfigMap) instead of the environment-variable-based configuration used by v1.
-
-## Dual Frontend Routing
-
-Because Istio limits each workload to a single ext-authz provider, and because ext-authz calls bypass VirtualService routing entirely, header-based routing between MISE versions is achieved by running two separate frontend workloads, each with its own AuthorizationPolicy.
-
-```mermaid
-graph TB
-    Client[Client Request] --> Gateway[Istio Ingress Gateway]
-    Gateway --> VS{VirtualService<br/>x-ms-mise-version?}
-
-    VS -->|"v2"| FEv2[aro-hcp-frontend-v2]
-    VS -->|default| FEv1[aro-hcp-frontend]
-
-    FEv2 -->|"ext-authz-misev2<br/>provider"| MISEv2["misev2.mise<br/>(MISE v2)"]
-    FEv1 -->|"ext-authz<br/>provider"| MISEv1["mise.mise<br/>(MISE v1)"]
-```
-
-### Components
-
-- **Two ext-authz providers** defined in the Istio mesh config (`istio-shared-configmap`):
-  - `ext-authz` → `mise.mise.svc.cluster.local:8080`
-  - `ext-authz-misev2` → `misev2.mise.svc.cluster.local:8080`
-- **Two frontend Deployments and Services**: `aro-hcp-frontend` and `aro-hcp-frontend-v2`, identical except for which ext-authz provider their AuthorizationPolicy references
-- **VirtualService on the ingress gateway**: routes requests with `x-ms-mise-version: v2` header to `aro-hcp-frontend-v2`, all other traffic to `aro-hcp-frontend`
-- **Shared label** `app.kubernetes.io/part-of: aro-hcp-frontend` on both frontend deployments, used by policies that apply to both (metrics, admin access)
-
-### Why Not VirtualService-Based Routing at the MISE Layer
-
-Istio ext-authz calls bypass VirtualService routing. The Envoy `envoyExtAuthzHttp` filter connects directly to the service cluster endpoints, not through the HTTP routing pipeline. This means a VirtualService on `mise.mise.svc.cluster.local` cannot split ext-authz traffic by header — the split must happen upstream by routing to different frontend workloads, each bound to its own ext-authz provider.

frontend/deploy/templates/frontend.deployment.yaml

@@ -1 +1,125 @@
-{{ include "frontend.deployment" (dict "appName" "aro-hcp-frontend" "Values" .Values "Release" .Release) }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: aro-hcp-frontend
+  name: aro-hcp-frontend
+  namespace: '{{ .Release.Namespace }}'
+spec:
+  progressDeadlineSeconds: 600
+  replicas: {{ .Values.deployment.replicas }}
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app: aro-hcp-frontend
+  strategy:
+    rollingUpdate:
+      maxSurge: 50%
+      maxUnavailable: 50%
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: aro-hcp-frontend
+        app.kubernetes.io/part-of: aro-hcp-frontend
+        azure.workload.identity/use: "true"
+    spec:
+      topologySpreadConstraints:
+      - maxSkew: 1
+        topologyKey: '{{ if eq (int .Values.deployment.zoneCount) 0 }}kubernetes.azure.com/agentpool{{ else }}topology.kubernetes.io/zone{{ end }}'
+        whenUnsatisfiable: ScheduleAnyway
+        labelSelector:
+          matchLabels:
+            app: aro-hcp-frontend
+      - maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: ScheduleAnyway
+        labelSelector:
+          matchLabels:
+            app: aro-hcp-frontend
+      serviceAccountName: '{{ .Values.serviceAccount.name }}'
+      containers:
+      - name: aro-hcp-frontend
+        image: '{{ .Values.deployment.imageName }}'
+        imagePullPolicy: Always
+        args: ["--clusters-service-url", "http://clusters-service.{{ .Values.clustersService.namespace }}.svc.cluster.local:8000", "--exit-on-panic={{ .Values.exitOnPanic }}", "--log-verbosity={{ .Values.logVerbosity }}"]
+        env:
+        - name: DB_NAME
+          valueFrom:
+            configMapKeyRef:
+              name: frontend-config
+              key: DB_NAME
+        - name: DB_URL
+          valueFrom:
+            configMapKeyRef:
+              name: frontend-config
+              key: DB_URL
+        - name: LOCATION
+          valueFrom:
+            configMapKeyRef:
+              name: frontend-config
+              key: LOCATION
+        - name: OTEL_EXPORTER_OTLP_ENDPOINT
+          value: "{{ .Values.tracing.address }}"
+        - name: OTEL_TRACES_EXPORTER
+          value: "{{ .Values.tracing.exporter }}"
+        - name: AUDIT_CONNECT_SOCKET
+          value: "{{ .Values.audit.connectSocket }}"
+        - name: AZURE_TOKEN_CREDENTIALS
+          value: "WorkloadIdentityCredential"
+        ports:
+        - containerPort: 8443
+          protocol: TCP
+        - containerPort: 8081
+          protocol: TCP
+        resources:
+          requests:
+            cpu: {{ .Values.deployment.resources.requests.cpu }}
+            memory: {{ .Values.deployment.resources.requests.memory }}
+{{- if ne .Values.deployment.resources.limits.memory "unlimited" }}
+          limits:
+            memory: {{ .Values.deployment.resources.limits.memory }}
+{{- end }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsNonRoot: true
+          runAsUser: 65532
+          runAsGroup: 65532
+          seccompProfile:
+            type: RuntimeDefault
+        {{- if .Values.audit.connectSocket }}
+        volumeMounts:
+          - name: mdsd-asa-run-vol
+            mountPath: /var/run/mdsd
+        {{- end }}
+        startupProbe:
+          httpGet:
+            path: /healthz
+            port: 8443
+          periodSeconds: 10
+          failureThreshold: 30
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8443
+          initialDelaySeconds: 15
+          periodSeconds: 20
+          failureThreshold: 3
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: 8443
+          initialDelaySeconds: 5
+          periodSeconds: 10
+      {{- if .Values.audit.connectSocket }}
+      volumes:
+        - name: mdsd-asa-run-vol
+          hostPath:
+            path: /var/run/mdsd
+            type: Directory
+      {{- end }}
+      restartPolicy: Always
+      terminationGracePeriodSeconds: 30

frontend/deploy/templates/frontend.virtualservice.yaml

@@ -9,24 +9,6 @@ spec:
   gateways:
   - aks-istio-ingress/aro-hcp-gateway-external
   http:
-  - match:
-    - headers:
-        x-ms-mise-version:
-          exact: "v2"
-      uri:
-        regex: '.+'
-    headers:
-      request:
-        add:
-          mise-inbound-policies-to-filter: "{{ .Values.mise.policyLabel }}"
-      response:
-        add:
-          x-ms-served-by: "v2"
-    route:
-    - destination:
-        host: aro-hcp-frontend-v2
-        port:
-          number: 8443
   - match:
     - uri:
         regex: '.+'

frontend/deploy/templates/peerauthentication.yaml

@@ -10,16 +10,3 @@ spec:
   portLevelMtls:
     8081:
       mode: PERMISSIVE
----
-apiVersion: security.istio.io/v1beta1
-kind: PeerAuthentication
-metadata:
-  name: aro-hcp-frontend-v2-metrics
-  namespace: '{{ .Release.Namespace }}'
-spec:
-  selector:
-    matchLabels:
-      app: aro-hcp-frontend-v2
-  portLevelMtls:
-    8081:
-      mode: PERMISSIVE